Companies must anticipate, prepare for insider breaches

While high-profile cyberattacks and instances of hacktivism are more likely to capture headlines these days, a business must still be cautious of another type of threat that could prove devastating to its reputation as well as its bottom line – insiders.

Internal data breaches are far less common than external incidents. According to Verizon’s 2011 Data Breach Investigations Report, only 17 percent of data breaches in the last year implicated insiders, while 92 percent stemmed from external agents.

However, this is not to suggest that insider threats should be ignored. Earlier this year, Bank of America lost more than $10 million when an insider sold customer information to criminals. Meanwhile, dozens of healthcare providers, schools and other organizations have been subject to criticism – and often fines – for exposing sensitive information on the Internet or through other channels.

Generally, insider data breaches stem from two types of incidents: accidental error and malicious action. While the latter is more likely to keep IT security practitioners up at night, both can have a significant impact on a company’s operations and therefore must be addressed in order to mitigate any damage or risk.

According to a recent whitepaper from technology news provider IDG, two types of employees are typically responsible for malicious insider threats. The most obvious one is the untrusted insider, which describes a person who is not authorized to access certain computer systems or networks but manages to compromise company data through improperly obtained credentials and backdoor exploits.

Sometimes, an untrusted insider is planted within a company by an outsider looking to exploit or sabotage an organization. The report pointed out that, though fairly rare, this type of insider is difficult to prepare for, as he or she will generally ignore data security policies and procedures to steal information.

The other type of malicious employee is the “trusted witting insider,” who uses legitimate access to “provide privileged information to an unauthorized party,” the report noted. This type of employee is often harder to detect than the untrusted insider, because he or she has generally risen through the ranks of the company and earned the respect of fellow employees. However, the trusted witting employee is often a person who has become disgruntled with the company and is therefore looking to use his or her insider knowledge to cause harm or for personal gain.

Both of these malicious threats can be difficult to safeguard against, as security policies and authorization credentials are rendered useless. However, a company may improve its chances of detecting such threats through network monitoring tools and other technical controls.

The final insider threat is what IDG called the “unwitting trusted employee.” This is perhaps the most common type of insider threat, as it can apply to virtually any employee. It is not uncommon for an employee – whether motivated to get a job done quickly or simply unaware of policies – to sidestep data security procedures and, thus, accidentally put sensitive company data in harm’s way.

This too can be difficult to prepare for, as a company cannot predict when an otherwise competent employee will slip up. While technical and access controls are the best options for preventing such incidents, stressing a company’s security policies can also be hugely beneficial.

Insider breaches do appear to be on the decline. According to Verizon, the number of breaches implicating insiders slid by 31 percent between 2010 and 2011. However, such occurrences will never disappear entirely, so it is important that businesses anticipate insider breaches and do what they can to mitigate any damages that may result.